According to a recent post from SecurityWeek, the Android banking malware known as Vultur has re-emerged with a major update that provides extensive functionality for interacting with infected devices and manipulating files. Vultur first surfaced in March 2021, when the malware infected legitimate applications such as AlphaVNC and ngrok to remotely access VNC servers on victims’ devices, which enabled credential theft through screen recorders and keyloggers.
Upgraded Android Trojan Vultur now has full control over infected devices and access to their files
The latest version of Vultur goes even further, giving attackers complete control over compromised devices. This includes interfering with applications, posting custom notifications, bypassing lock screen protection, and manipulating files by downloading, uploading, installing, searching, or deleting them.
According to the NCC Group report, the malware primarily relies on AlphaVNC and ngrok for remote access, but the latest version includes enhanced anti-analysis and detection evasion mechanisms. These include multiple payloads, benign app modifications, native code for payload decryption, and AES encryption for command and control (C&C) communications.
An SMS message typically alerts the victim and asks them to call a specific number immediately to address a fraudulent transaction. Shortly after, another SMS arrives on the device containing a malicious URL pointing to a modified McAfee Security package that acts as a dropper for the malware itself.
Delivered through a dropper framework called Brunhilda, Vultur consists of three components, called payloads, which are intended to facilitate subsequent execution stages. With these payloads in place, Vultur can obtain accessibility service privileges, set up AlphaVNC and ngrok, and perform its core backdoor functionality.
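Because the chain described above ends with a sideloaded package holding accessibility service privileges, a responder can triage a handset for that combination. The following is an added example, not code from NCC Group or the original article: it parses saved output of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`. All package names and sample output are constructed, and treating Google Play as the only trusted installer is an assumption.

```python
# Added example: flag third-party apps that hold an accessibility service
# but were not installed from a trusted store. Sample data is constructed.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play only

def parse_installers(pm_output):
    """Parse `pm list packages -3 -i` lines into {package: installer or None}."""
    installers = {}
    for line in pm_output.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer="):
                value = field[len("installer="):]
                installer = None if value in ("", "null") else value
        installers[fields[0][len("package:"):]] = installer
    return installers

def parse_accessibility(setting):
    """Split the colon-separated `package/service` list from the secure setting."""
    setting = setting.strip()
    if setting in ("", "null"):
        return []
    return [tuple(e.split("/", 1)) for e in setting.split(":") if "/" in e]

def flag_sideloaded_accessibility(pm_output, setting):
    """Return (package, service, installer) leads for manual review."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, service in parse_accessibility(setting):
        if pkg not in installers:
            continue  # not in the -3 (third-party) list: preinstalled app
        installer = installers[pkg]
        if installer not in TRUSTED_INSTALLERS:
            findings.append((pkg, service, installer or "unknown"))
    return findings

# Constructed sample output (hypothetical package names).
SAMPLE_PM = """package:com.example.notes  installer=com.android.vending
package:com.example.security.fake  installer=null
package:com.example.reader  installer=com.android.vending
"""
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.example.security.fake/.core.AssistService:"
               "com.example.reader/.ReadAloudService")

if __name__ == "__main__":
    for finding in flag_sideloaded_accessibility(SAMPLE_PM, SAMPLE_A11Y):
        print("review:", finding)
```

A hit is a lead for review rather than proof of infection, since legitimately sideloaded accessibility tools match the same pattern.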
Remote control also allows attackers to perform gestures to lock you out of your device
To support remote operations, Vultur includes seven new C&C methods that allow attackers to perform various actions such as click, scroll, and swipe gestures. There are also 41 new Firebase Cloud Messaging (FCM) commands that take advantage of these permissions, allowing messages to be delivered without requiring a persistent connection.
The latest version of Vultur also removes the ability for users to interact with certain applications. The updated Vultur poses a significant risk to Android users because it can remotely control infected devices and manipulate files. NCC therefore advises Android owners to be careful.
Copyright ©2024 Android Headlines. All rights reserved.
April 2, 2024